Changelog

Tomcat 10.1.0-M5 (markt)

Catalina

  • Fix: Enable Tomcat to start if an (old) XML parser is configured that does not support allow-java-encodings. A warning will be logged if such an XML parser is detected. (markt)
  • Fix: Change the behaviour of custom error pages. If an error occurs after the response is committed, once the custom error page content has been added to the response the connection is now closed immediately rather than closed cleanly. i.e. the last chunk that marks the end of the response body is no longer sent. This acts as an additional signal to the client that the request experienced an error. (markt)
  • Fix: 65479: When handling requests using JASPIC authentication, ensure that PasswordValidationCallback.getResult() returns the result of the password validation rather than always returning false. Fixed via pull request #438 provided by Robert Rodewald. (markt)
  • Update: Improve the reusability of the UserDatabase by adding intermediate concrete implementation classes and allowing to do partial database updates on save. (remm)
  • Code: Refactor the authenticators to delegate the check for preemptive authentication to the individual authenticators where an authentication scheme specific check can be performed. Based on pull request #444 by Robert Rodewald. (markt)
  • Add: Add a UserDatabase implementation as a superset of the DataSourceRealm functionality. (remm)
  • Fix: Make sure the dynamic Principal returned by UserDatabaseRealm stays up to date with the database contents, and add an option to have it be static, similar to the other realms. (remm)
  • Add: Add derby-*.jar to the list of JARs to skip when scanning for TLDs, web fragments and annotations. (markt)
  • Fix: #447. Correct JPMS metadata for catalina.jar. Pull request provided by Hui Wang. (markt)

Coyote

  • Fix: Correct a logic error that meant setting certificateKeystoreFile to NONE did not have the expected effect. NONE was incorrectly treated as a file path. Patch provided by Mikael Sterner. (markt)
  • Code: Remove the deprecated APR/Native connector which includes the HTTP APR and the AJP APR connector. Also remove the Java interfaces to the APR/Native library that are not used by the OpenSSL integration for the NIO and NIO2 connectors. (markt)
  • Code: Refactor the JSSE/OpenSSL integration to avoid the use of finalize(). (markt)
  • Fix: 65505: When an HTTP header value is removed, ensure that the order of the remaining header values is unchanged. (markt)

WebSocket

  • Fix: 65506: Fix write timeout check that was using the read timeout value. Patch submitted by Gustavo Mahlow. (remm)

Web applications

  • Fix: Remove unnecessary Context settings from the examples web application. (markt)
  • Fix: Document default value for unpackWARs and related clean-up. Pull request #439 provided by Robert Rodewald. (markt)
  • Fix: Clarify the documentation of the compressionMinSize and compressibleMimeType HTTP Connector attributes. Pull request #442 provided by crisgeek. (markt)

Tribes

  • Code: Refactor the ParallelNioSender to avoid the use of finalize(). (markt)

Other

  • Fix: Fix failing build when building on non-English locales. Pull request #441 provided by Dachuan J. (markt)
  • Update: Update to JSign version 4.0 to enable code signing without the need for the installation of additional client tools. (markt)
  • Update: Add Apache Derby 10.15.2.0 to the testsuite dependencies, for JDBC and DataSource testing. (remm)
  • Add: Update the internal fork of Apache Commons BCEL to 40d5eb4 (2021-09-01, 6.6.0-SNAPSHOT). Code clean-up only. (markt)
  • Add: Update the internal fork of Apache Commons Codec to fd44e6b (2021-09-01, 1.16-SNAPSHOT). Minor refactoring. (markt)
  • Add: Update the internal fork of Apache Commons FileUpload to 33d2d79 (2021-09-01, 2.0-SNAPSHOT). Refactoring and code clean-up. (markt)
  • Add: Update the internal fork of Apache Commons Pool to 2.11.1 (2021-08-17). Improvements, code clean-up and refactoring. (markt)
  • Add: Update the internal fork of Apache Commons DBCP to 2.9.0 (2021-08-03). Improvements, code clean-up and refactoring. (markt)
  • Update: Update the packaged version of the Tomcat Native Library to 1.2.31 to pick up Windows binaries built with OpenSSL 1.1.1l.(markt)
  • Update: Switch to the CDN as the primary download location for ASF dependencies. (markt)
  • Add: Improvements to Chinese translations contributed by syseal, wolibo, ZhangJieWen and DigitalFatCat. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations contributed by tak7iji. (markt)
  • Add: Improvements to Korean translations. (woonsan)

release in progress Tomcat 10.1.0-M4 (markt)

WebSocket

  • Fix: Correct a regression in the Java 8 to Java 11 changes made in 10.1.0-M3 that caused all WebSocket end points to fail to register. (markt)

not released Tomcat 10.1.0-M3 (markt)

General

  • Update: Update the minimum required Java version to Java 11. (markt)

Catalina

  • Code: Incremented the supported Jakarta Servlet version to 6.0 to align with the current development branch of the Jakarta Servlet specification. Plans have changed and the next iteration of the Servlet specification will be 6.0 rather than 5.1. (markt)
  • Fix: 65411: Always close the connection when an uncaught NamingException occurs to avoid connection locking. Submitted by Ole Ostergaard. (remm)
  • Fix: 65433: Correct a regression in the fix for 65397 where a StringIndexOutOfBoundsException could be triggered if the canonical path of the target of a symlink was shorter than the canonical path of the directory in which the symlink had been created. Patch provided by Cedomir Igaly. (markt)
  • Add: 65443: Refactor the CorsFilter to make it easier to extend. (markt)
  • Fix: To avoid unnecessary cache revalidation, do not add an HTTP Expires header when setting adding an HTTP header of CacheControl: private. (markt)
  • Code: Refactor JULI's custom LogManager, the web application class loader implementation, the web resources implementation, the JreLeakPreventionListener implementation and the StandardJarScanner implementation to remove Java 8 specific code now that the minimum Java version has been increased to 11. (markt)
  • Code: Remove all references to the endorsed standards override feature and the specifying of optional packages (extensions) in the manifest as these are not supported in Java 11. (markt)

Coyote

  • Fix: When writing an HTTP/2 response via sendfile (only enabled when useAsyncIO is true) the connection flow control window was sometimes ignored leading to various error conditions. sendfile now checks both the stream and connection flow control windows before writing. (markt)
  • Add: Add debug logging for writing an HTTP/2 response via sendfile. (markt)
  • Fix: Correct bugs in the HTTP/2 connection flow control management that meant it was possible for a connection to stall waiting for a connection flow control window update that had already arrived. Any streams on that connection that were trying to write when this happened would time out. (markt)
  • Fix: 65448: When using TLS with NIO, it was possible for a blocking response write to hang just before the final TLS packet associated with the response until the connection timed out at which point the final packet would be sent and the connection closed. (markt)
  • Fix: 65454: Fix a race condition that could result in a delay to a new request. The new request could be queued to wait for an existing request to finish processing rather than the thread pool creating a new thread to process the new request. (markt)
  • Fix: 65460: Correct a regression introduced in the previous release in the change to reduce the number of small HTTP/2 window updates sent for streams. A logic error meant that small window updates for the connection were dropped. This meant that the connection flow window slowly reduced over time until nothing could be sent. (markt)
  • Fix: Remove NIO workarounds and code that is no longer needed with Java 11. (remm)
  • Code: Refactor the endpoints to remove Java 8 specific code now that the minimum Java version has been increased to 11. (markt)

Jasper

  • Code: Add additional generics to the EL API to align with the latest changes in the EL specification project. (markt)
  • Add: Enable EL lambda expressions to be coerced to functional interfaces. This is an implementation of a proposed extension to the Jakarta Expression Language specification. (markt)
  • Code: Refactor the EL API and implementation to remove Java 8 specific code now that the minimum Java version has been increased to 11. (markt)

WebSocket

  • Code: Refactor the WebSocket implementation to remove Java 8 specific code now that the minimum Java version has been increased to 11. (markt)

Web applications

  • Fix: 65404: Correct a regression in the fix for 63362 that caused the server status page in the Manager web application to be truncated if HTTP upgrade was used such as when starting a WebSocket connection. (markt)

Other

  • Add: Improvements to Chinese translations contributed by ZhangJieWen and chengzheyan. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations contributed by tak7iji. (markt)
  • Add: Improvements to Korean translations. (woonsan)
  • Fix: Use of GraalVM native images no longer automatically disables JMX support. JMX support may still be disabled by calling org.apache.tomcat.util.modeler.Registry.disableRegistry(). (markt)

2021-07-02 Tomcat 10.1.0-M2 (markt)

Catalina

  • Code: Refactor the RemoteIpValve to use the common utility method for list to comma separated string conversion. (markt)
  • Code: Refactor JNDIRealm$JNDIConnection so its fields are accessible to sub-classes of JNDIRealm. (markt)
  • Fix: Fix serialization warnings in UserDatabasePrincipal reported by SpotBugs. (markt)
  • Fix: 65397: Calls to ServletContext.getResourcePaths() no longer include symbolic links in the results unless allowLinking has been set to true. If a resource is skipped because of this change, a warning will be logged as this typically indicates a configuration issue. (markt)

Coyote

  • Fix: 65368: Improve handling of clean closes of inbound TLS connections. Treat them the same way as clean closes of non-TLS connections rather than as unknown errors. (markt)
  • Fix: Modify the HTTP/2 connector not to sent small updates for stream flow control windows to the user agent as, depending on how the user agent is written, this may trigger small writes from the user agent that in turn trigger the overhead protection. Small updates for stream flow control windows are now combined with subsequent flow control window updates for that stream to ensure that all stream flow control window updates sent from Tomcat are larger than overheadWindowUpdateThreshold. (markt)
  • Add: Add additional debug logging to track the current state of the HTTP/2 overhead count that Tomcat uses to detect and close potentially malicious connections. (markt)
  • Update: Many HTTP/2 requests from browsers will trigger one overhead frame and one non-overhead frame. Change the overhead calculation so that a non-overhead frame reduces the current overhead count by 2 rather than 1. This means that, over time, the overhead count for a well-behaved connection will trend downwards. (markt)
  • Update: Change the initial HTTP/2 overhead count from -10 to -10 * overheadCountFactor. This means that, regardless of the value chosen for overheadCountFactor, when a connection opens 10 overhead frames in a row will be required to trigger the overhead protection. (markt)
  • Update: Increase the default overheadCountFactor from 1 to 10 and change the reduction in overhead count for a non-overhead frame from -2 to -20. This allows for a larger range (0-20) to be used for overheadCountFactor providing for finer-grained control. (markt)
  • Fix: Modify the parsing of HTTP header values that use the 1#token to ignore empty elements as per RFC 7230 section 7 instead of treating the presence of empty elements as an error. (markt)
  • Fix: Expand the unit tests for HttpServlet.doHead() and correct the flushing of the response buffer. The buffer used to behave as if it was one byte smaller than the configured size. The buffer was flushed (and the response committed if required) when the buffer was full. The buffer is now flushed (and the response committed if required) if the buffer is full and there is more data to write. (markt)
  • Fix: Fix an issue where concurrent HTTP/2 writes (or concurrent reads) to the same connection could hang and eventually timeout when async IO was enabled (it is enabled by default). (markt)

Jasper

  • Fix: 65387: Correct a regression in the fix for 65124 and restore the local definition of out for tags that implement TryCatchFinally. (markt)
  • Fix: 65390: Correct a regression in the fix for 65124 and restore code that was removed in error leading to JSP compilation failures in some circumstances. (markt)
  • Update: Update to the Eclipse JDT compiler 4.20. (markt)
  • Add: Add support for specifying Java 17 (with the value 17) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the latest supported version will used. (markt)
  • Fix: 65377: Update the Java code generation for JSPs not to use the boxed primitive constructors as they have been deprecated in Java 9 and marked for future removal in Java 16. valueOf() is now used instead. (markt)

WebSocket

  • Code: Refactor the DigestAuthenticator to reuse a shared SecureRandom instance rather than create a new one to generate the cnonce if required. (markt)

Web applications

  • Fix: 65385: Correct the link in the documentation web application the Maven Central repository. (markt)

Other

  • Add: Use JSign to integrate the build script with the code signing service to enable release builds to be created on Linux as well as Windows. (markt)
  • Update: Update the OWB module to Apache OpenWebBeans 2.0.23. (remm)
  • Update: Update the CXF module to Apache CXF 3.4.4. (remm)
  • Fix: 65369 / #422: Add the additional --add-opens=... options required for running Tomcat on Java 16 onwards to the service.bat script to align it with the other start-up scripts. PR provided by MCMicS. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Korean translations. (woonsan)
  • Update: Update JUnit to version 4.13.2. (markt)
  • Update: Update EasyMock to 4.3. (markt)
  • Update: Update Objenesis to 3.2. (markt)
  • Update: Update UnboundID to 6.0.0. (markt)
  • Update: Update CheckStyle to 8.43. (markt)
  • Update: Update SpotBugs to 4.2.3. (markt)
  • Update: Update OSGi annotations to 1.1.0. (markt)

2021-06-15 Tomcat 10.1.0-M1 (markt)

General

  • Code: This release contains all of the changes up to and including those in Apache Tomcat 10.0.6 plus the additional changes listed below. (markt)
  • Code: Remove code previously marked for removal in Tomcat 10.1.x. (markt)

Catalina

  • Code: Incremented the supported Jakarta Servlet version to 5.1 to align with the current development branch of the Jakarta Servlet specification. (markt)
  • Fix: 65301: RemoteIpValve will now avoid getting the local host name when it is not needed. (remm)
  • Fix: 65308: NPE in JNDIRealm when no userRoleAttribute is given. (fschumacher)
  • Add: #412: Add commented out, sample users for the Tomcat Manager app to the default tomcat-users.xml file. Based on a PR by Arnaud Dagnelies. (markt)
  • Add: #418: Add a new option, pass-through, to the default servlet's useBomIfPresent initialization parameter that causes the default servlet to leave any BOM in place when processing a static file and not to use the BOM to determine the encoding of the file. Based on a pull request by Jean-Louis Monteiro. (markt)
  • Fix: #419: When processing POST requests of type multipart/form-data for parts without a filename that are added to the parameter map in String form, check the size of the part before attempting conversion to String. Pull request provided by tianshuang. (markt)
  • Add: Implement the new Cookie methods setAttribute(), getAttribute() and getAttributes() introduced in Servlet 6.0. (markt)
  • Fix: AprLifecycleListener does not show dev version suffix for libtcnative and libapr. (michaelo)
  • Update: Refactor principal handling in UserDatabaseRealm using an inner class that extends GenericPrincipal. (remm)
  • Fix: Enable the default doHead() implementation in HttpServlet to correctly handle responses where the content length needs to be represented as a long since it is larger than the maximum value that can be represented by an int. (markt)
  • Fix: Avoid synchronization on roles verification for the memory UserDatabase. (remm)
  • Fix: Fix the default doHead() implementation in HttpServlet to correctly handle responses where the Servlet calls ServletResponse.reset() and/or ServletResponse.resetBuffer(). (markt)
  • Fix: Fix the default doHead() implementation in HttpServlet to correctly handle responses generated using the Servlet non-blocking API. (markt)

Coyote

  • Fix: 65303: Fix a possible NullPointerException if an error occurs on an HTTP/1.1 connection being upgraded to HTTP/2 or on a pushed HTTP/2 stream. (markt)
  • Update: Simplify AprEndpoint socket bind for all platforms. (michaelo)
  • Fix: 65340: Add missing check for a negative return value for Hpack.decodeInteger in the HpackDecoder, which could cause a NegativeArraySizeException exception. Submitted by Thomas, and verified the fix is present in the donated hpack code in a further update. (remm)
  • Add: Add debug logging for HTTP/2 HPACK header decoding. (markt)
  • Fix: Correct parsing of HTTP headers consisting of a list of tokens so that a header with an empty token is treated consistently regardless of whether the empty token is at the start, middle or end of the list of tokens. (markt)
  • Fix: Remove support for the identity transfer encoding. The inclusion of this encoding in RFC 2616 was an error that was corrected in 2001. Requests using this transfer encoding will now receive a 501 response. (markt)
  • Fix: Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1 clients. (markt)
  • Fix: Ensure that if the transfer encoding header contains the chunked, that the chunked encoding is the final encoding listed. (markt)

Jasper

  • Code: Incremented the supported Jakarta Expression Language version to 5.0 to align with the current development branch of the Jakarta Expression Language specification. (markt)
  • Code: Review code used to generate Java source from JSPs and tags and remove code found to be unnecessary. (markt)
  • Code: Refactor use of internal ChildInfo class to use compile time type checking rather than run time type checking. (markt)
  • Fix: 65124: Partial fix. When generating Java source code to call a tag handler, only define the local variable JspWriter out when it is going to be used. (markt)
  • Code: Add generics to the EL 5.0 API to align with the current EL 5.0 development branch. (markt)
  • Update: Update the web-fragment.xml included in jasper.jar and jasper-el.jar to use the Servlet 5.0 schema. (markt)
  • Fix: Update JspC to generate web.xml and web-fragment.xml files using Servlet 5.0 schemas. (markt)
  • Code: Remove the deprecated method MethodExpression.getParmetersProvided() from the EL API to align with the current EL 5.0 development branch. (markt)
  • Fix: 65358: Improve expression language method matching for methods with varargs. Where multiple methods may match the provided parameters, the method that requires the fewest varargs is preferred. (markt)
  • Add: 65332: Add a commented out section in catalina.policy that provides the necessary permissions to compile JSPs with javac when running on Java 9 onwards with a security manager. It is commented out as it will cause errors if used with earlier Java versions. (markt)

WebSocket

  • Fix: 65317: When using permessage-deflate, the WebSocket connection was incorrectly closed if the uncompressed payload size was an exact multiple of 8192. Based on a patch provided by Saksham Verma. (markt)
  • Update: Update the web-fragment.xml included in tomcat-websocket.jar to use the Servlet 5.0 schema. (markt)
  • Fix: 65342: Correct a regression introduced with the fix for 65262 that meant Tomcat's WebSocket implementation would only work with Tomcat's implementation of the Jakarta WebSocket API. (markt)

Web applications

  • Fix: Improve the description of the maxConnections and acceptCount attributes in the Connector section of the documentation web application. (markt)

Other

  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Korean translations. (woonsan)
  • Fix: 65362: Correct a regression in the previous release. The change to create OSGi Require-Capability sections in manifests for Jakarta API JARs manually rather than with bnd annotations did not add the necessary manual entries to the embedded JARs. (markt)
  • Update: Update the packaged version of the Tomcat Native Library to 1.2.30. Also update the minimum recommended version to 1.2.30. (markt)